HTB – Irked

Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of irked is 10.10.10.117

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

It gave us a frustrated emoji when exploring port 80, as shown below, and some hints for irc are working. This image might have some hidden information, so I download this image and begin to penetrate it.

Enumeration

I tried to extract hidden information with the help of steghide, but we need to find the passphrase for that.

root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase:

Exploiting

Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, it runs on 6697 here. I pwned the victim machine successfully after running the module.

So, as you can see, we’ve got the victim’s machine command session,We found frustrated emoji in the beginning, requiring a passphrase to extract the hidden text behind the image. So, as a passphrase, I use the password above and found a pass.txt file from within irked.jpg.

It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.

Privilege Escalation

First, I open the user.txt file and finish the first challenge. Now let’s penetrate more to find the root.txt file, and that’s why we need to increase the privilege, so I’m trying to find out if there’s any suid permission script.Here /usr/bin/viewuser looks more interesting, let’s check it out.

So, when I run the program, I found that this application was being developed to set test user permissions but couldn’t find listusers file within /tmp. This program is, therefore, searching for data from the listusers file and the file is missing from the directory inside /tmp.

So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.